Archive

This Article explains the concept of transferring personal data from EU to third countries, what those third countries mean, the principles for making such transfers legitimate and the derogations from these principles, and last but not least, the transfer mechanisms of personal data to third countries.

Considering the legal requirements of the Directive 95/46/EC, Article 25… the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if… the third country in question ensures an adequate level of protection…this Article provides three legal mechanisms for such transfers:

-Safe Harbor Agreement principles – for Organizations or entities located in the U.S.

The Article provides Organizations or entities with all current available mechanisms for data transfer from the European Union to third countries, regardless if those Organizations are independent-single entities or multinational ones.

This Article was written by Dan Manolescu. If interested, you could read the full Article published by InfoSec Institute here.

If you would like to find out more about InfoSec, you could visit this page here.

This is the last post of a series brought you by E-Crime Expert, that aims to make the readers and data subject familiar to the most common terminology in order to better understand and protect their personal data and privacy.

Reliability is the property of consistent intended behavior and results.

Residual Risk (Information Security)

Residual risks are the risks that remain after risk treatment or, in other words, after protective measures were introduced.

Right of rectification

Anyone can have incorrect data relating to him rectified free of charge, and have other data erased if they are irrelevant, incomplete or prohibited, or have the use of those data prohibited. If the controller does not react, the data subject may address the Commission, which will attempt to mediate. The data subject may also submit a complaint to the judicial police.

Right to object

You may always object to the use of your data, provided that you have serious reasons for this. You cannot object to a data processing operation that is required by a law or a regulatory provision, or that is necessary to perform a contract you have entered into. However, you always have the right to object to the illegitimate use of your data and can always object free of charge and without justification if your data are processed for direct marketing purposes.

To object you have to send a dated and signed request, including a document proving your identity (for example a copy of your identity card) to the controller by letter or by fax (a request by e-mail is only accepted with an electronic signature). The request can also be submitted on the spot. The controller then has one month to reply. If he fails to do so or if his reply is not convincing, you can address the Commission, which will try to mediate. You can also take your case to court.

Risk (Information Security)

A risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (for example a virus deleting a file). It is measured in terms of a combination of the probability of an event and its consequence.

A risk is characterized by two factors: the probability that an incident will occur and the gravity of the potential direct consequences and the indirect impact.

The risk can also depend on time: the situation can become worse after an incident if adjusting measures are not taken in time (for instance a software glitch infecting a database, spyware retrieving passwords, encrypted codes or pin numbers). That way, an innocent incident can have disastrous consequences.

Risk Management (Information Security)

Risk management identifies the most important risks and distinguishes between the risks that have to be taken care of and acceptable risks. It uses security resources that deal with the dangers for personal data according to a scale of priorities. The risk management process constitutes a cycle that is repeated depending on the particular characteristics of the systems and the identified risks. Risk management results in final processes and an updated security policy, and often also in adaptations to the organization and its procedures in order to better take into account possible new risks, as well as the measures that have been taken.

(S) Safe Harbor Principles

In consultation with the European Commission, the American Department of Commerce elaborated the Safe Harbor Principles, intended to facilitate the transfer of personal data from the European Union to theUnited States. If companies make a statement to the American Department of Commerce agreeing with these principles and declaring they are prepared to respect them (meaning, among other things, that the American Federal Trade Commission can check whether theyr respect these principles), they are considered as companies ensuring adequate safeguards for data protection.

Security measures (Information Security)

Security measures, also called “protective measures” or “security controls”, are procedures or decisions that limit risks. Security measures can be effective in several ways: by lessening possible dangers, correcting vulnerabilities or limiting the possible direct consequences or indirect impact. It is also possible to work with time: if incidents are traced better and sooner, action can be taken before the situation gets any worse.

Sensitive data

Certain personal data are more sensitive than others. An individual’s name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Law regulates registration and use of those sensitive data more strictly in comparison with other personal data.

For persons wishing to transfer data outside the European Community, the European Commission has elaborated standard contractual clauses, which allow for a data transfer meeting the European legal conditions for data protection (article 25 ff of Directive 95/46/EC). In other words, the parties signing these contracts are considered as parties ensuring adequate safeguards for the protection of privacy.

(T) Threat (Information Security)

A threat is any unexpected event that can damage one of the enterprise’s assets and therefore prejudice personal data protection.

to have been freely given. In other words, the data subject was not pressurised to say “yes”;

to be specific, meaning that the consent relates to a well-defined processing operation;

to be informed. The data subject has received all useful information about the planned processing.

It is not necessary for the consent to be given in writing, but oral consent does create problems with the burden of proof in case of difficulties.

(V) Vulnerability (Information Security)

Vulnerability is the weakest link of an asset or a group of assets that can be exploited by one or more imminent dangers (developer’s mistake, wrong installation). In most cases vulnerability is due to the fact that an asset is not sufficiently protected, rather than to the asset itself.

Vulnerability in itself is not harmful to the organization. Only when an imminent danger can accidentally use the vulnerability and possible special circumstances, a damaging incident can occur.